Mobile terminals may use smart cards, such as Universal Integrated Circuit Cards (UICCs), to access various types of networks. The smart cards may provide services that ensure the integrity and security of personal data.
Generic bootstrapping architecture (GBA) is a standard defined by the Third Generation Partnership Project (3GPP) for authentication of a user of a mobile terminal. GBA relies on a shared secret between the mobile terminal and an application server. The mobile terminal and the application server are mutually authenticated through an intermediary server, referred to as a bootstrapping server function (BSF), that arranges a security relation between the mobile terminal and the application server.
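A simplified model of the key agreement described above, added here as an illustration and not taken from this text or from the 3GPP specifications; the HMAC-SHA-256 derivation, the "gba-me" label, the Ks = CK || IK construction, the field encoding and the NAF identifier format are assumptions modelled on 3GPP TS 33.220, and every subscriber value is constructed:

```python
import hmac
import hashlib

def gba_kdf(ks: bytes, label: bytes, rand: bytes, impi: bytes, naf_id: bytes) -> bytes:
    """HMAC-SHA-256 over a length-tagged concatenation of the inputs, in the spirit
    of the 3GPP TS 33.220 Annex B KDF. The exact field encoding is an assumption."""
    s = b"\x01"
    for p in (label, rand, impi, naf_id):
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(ks, s, hashlib.sha256).digest()

class SmartCard:
    """Trusted side of the terminal: keeps the bootstrapping key Ks and exports
    only keys bound to a named application server (NAF)."""
    def __init__(self, impi: bytes, ck: bytes, ik: bytes):
        self._impi, self._ks = impi, ck + ik   # Ks = CK || IK after AKA (assumed)
    def ks_naf(self, rand: bytes, naf_id: bytes) -> bytes:
        return gba_kdf(self._ks, b"gba-me", rand, self._impi, naf_id)

class Bsf:
    """Bootstrapping server: holds the same AKA material as the card and hands
    per-NAF keys to application servers that present a valid B-TID."""
    def __init__(self, impi: bytes, ck: bytes, ik: bytes, rand: bytes, btid: bytes):
        self._ks = ck + ik
        self._sessions = {btid: (impi, rand)}   # one bootstrapping session
    def key_for(self, btid: bytes, naf_id: bytes) -> bytes:
        impi, rand = self._sessions[btid]
        return gba_kdf(self._ks, b"gba-me", rand, impi, naf_id)

# Constructed sample values; not real subscriber data.
IMPI = b"user@ims.example"
CK, IK = bytes(range(16)), bytes(range(16, 32))
RAND = bytes.fromhex("00112233445566778899aabbccddeeff")
BTID = b"btid-example@bsf.example"

def bootstrap_and_use(naf_id: bytes):
    """The card derives Ks_NAF for the given NAF; the NAF obtains the same key
    from the BSF by presenting the B-TID. Returns (ue_key, naf_key, match)."""
    card = SmartCard(IMPI, CK, IK)
    bsf = Bsf(IMPI, CK, IK, RAND, BTID)
    ue_key = card.ks_naf(RAND, naf_id)   # only this leaves the card, never Ks itself
    naf_key = bsf.key_for(BTID, naf_id)  # delivered from BSF to the NAF
    return ue_key, naf_key, hmac.compare_digest(ue_key, naf_key)
```

Because the NAF identifier is part of the derivation, a key obtained for one application server is of no use toward another, and the card-side interface hands the rest of the terminal only that per-server key.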
In some situations, the smart card installed in the mobile terminal may be a trusted entity that is under the control of the network provider. The rest of the mobile terminal (i.e., the user equipment), however, may not necessarily be a trusted entity. Under GBA, the authentication of the mobile terminal and the server is based on the assumption that the user equipment is trusted. This can potentially lead to security vulnerabilities at the user equipment or in the interface between the user equipment and the smart card.